metamorpherrat | 92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369

General

Target

92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe
Size

78KB
MD5

45214b778b2bb1a486868d6f6c4c0930
SHA1

3cc4a98c1531d378fc63079f94840bf581f25348
SHA256

92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369
SHA512

9f3627b77b44bc2ecfea10294e4573e95908904f6b838692861c4dc382d9246a1c723167b13e70a7a55bbb92688bd6841c967d9136321aef396c7da5dfee4c90
SSDEEP

1536:lVPy5QpJywt04wbje3IgTazcoOEEQLwdCRoaeuProYMHQti6hI9/E17g:PPy5uJywQjDgTLopLwdCFJzu9/B

Score

10^/10

metamorpherrat discovery rat stealer trojan

Malware Config

Signatures

MetamorpherRAT
Metamorpherrat is a hacking tool that has been around for a while since 2013.
trojan rat stealer metamorpherrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe

Deletes itself 1 IoCs

pid	Process
4984	tmpBA76.tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
4984	tmpBA76.tmp.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpBA76.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe
Token: SeDebugPrivilege	4984	tmpBA76.tmp.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1680	2176	92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe	84
PID 2176 wrote to memory of 1680	2176	92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe	84
PID 2176 wrote to memory of 1680	2176	92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe	84
PID 1680 wrote to memory of 1484	1680	vbc.exe	86
PID 1680 wrote to memory of 1484	1680	vbc.exe	86
PID 1680 wrote to memory of 1484	1680	vbc.exe	86
PID 2176 wrote to memory of 4984	2176	92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe	89
PID 2176 wrote to memory of 4984	2176	92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe	89
PID 2176 wrote to memory of 4984	2176	92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe	89

C:\Users\Admin\AppData\Local\Temp\92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe
"C:\Users\Admin\AppData\Local\Temp\92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1znsnzhr.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC89.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAA7ACB6C9DFC49CAAC4728A479119B0.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484
- C:\Users\Admin\AppData\Local\Temp\tmpBA76.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpBA76.tmp.exe" C:\Users\Admin\AppData\Local\Temp\92d4d3494e7edc1c4c7a2eb3466cfafd2d53d77b72674844337e5d2f8b0b6369N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1znsnzhr.0.vb

Filesize
14KB

MD5
49c6b1f8062af01551b55daf9089bd02

SHA1
8d413691bee1d7d8019b8f6878fb954641a85fdc

SHA256
db1db56712043f7bb176bc33d5b26ee8801f39276ce47141ba961ed7925a3036

SHA512
ec9ded16de7562cb6ca0a4f95b23b6e5d28ce89cbab209b7db8c8da9154883c97d9612b2c59d99b884ab5ba2f5db435d21e98e9babb13ad647c75e4c1a942db9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1znsnzhr.cmdline

Filesize
266B

MD5
076d93b6b054ec6ba2364d0aae4b77f5

SHA1
9b48d1df4fb69c21019994b2c2d4ba012e840d08

SHA256
104b658e5866d266359b39b5c05120f16aa774cec2518002a74ed5a502291826

SHA512
12fcfbaec6281547f2f160683021dd10c0fc4cba79d99a2fea996e0c5a56ee07187ba68f615e2102700daf1a091a2a58012236137be5dcc94a2c9c6ce086f61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC89.tmp

Filesize
1KB

MD5
a07faac0467a09b9f730602b1751caf9

SHA1
7b24529e3e1c6dca85cccf991f1c9c49b40abdf0

SHA256
d88714088312f6ddf043c9a80cd71b86db01dc8c5369db5ad8d70903dbbace10

SHA512
2966135f98959340596dd7c376627f2568acac29856944681a541e4eb385b1609a48dea9771047549bffdebb95689e7e4e3107ef959e086a1cc414a2e8b5e072

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBA76.tmp.exe

Filesize
78KB

MD5
45006f1cb35bb15950450dfbeaec6234

SHA1
73c24a93ae6eccd458ad773b8c2de24568b4802e

SHA256
c2e15f5d2839e0f1451ba3ca0488100f866d683a22052cc304b1e91484751dde

SHA512
2e6d62ec3bfbcc446de5897305ad89a38abf2c9205ee67ae23b2d0b557bfb2eb75057905e587822dad321f03ac968adc493926527d5c2047a9f3ee617a760bf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAA7ACB6C9DFC49CAAC4728A479119B0.TMP

Filesize
660B

MD5
9737ca6158bb369e2842816b1e0208a7

SHA1
c3d8e68936753e7e7adcae9e4f187f1abce80bc8

SHA256
750db64e081b1597b800cccdda2154618c21d5da5a7645d9297ace838637c738

SHA512
f4eca1bd57e20024732e356ca79f5cfe2ded8553fffdf8f08743ac174d74853f0991189601a62d69162758aa5d1c940f6ca8fd3214987216d9cb22867c2c6e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
484967ab9def8ff17dd55476ca137721

SHA1
a84012f673fe1ac9041e7827cc3de4b20a1194e2

SHA256
9c0a54047f133cf4e3e4444aa57cc576c566218217ea02ad7c04a408ad01791b

SHA512
1e9a0cc800543dada73e551ee714001c4d6c57a595ea2986a4dd8889d1dffd1557735580c694e5feb0b7c27c1a4b3e71a95fab8baf80839f42f80e2109cbe2d7

Download Submit
memory/1680-18-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/1680-9-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2176-22-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2176-0-0x0000000074932000-0x0000000074933000-memory.dmp

Filesize
4KB

Download
memory/2176-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/2176-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-23-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-24-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-25-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-26-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-27-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-28-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download
memory/4984-29-0x0000000074930000-0x0000000074EE1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing